The State of Israel has developed exceptional cyber capabilities that surpass all other nations within the MENA region. In January 2017, Prime Minister Benjamin Netanyahu declared that Israel had become one of the top five global cyber powers. Israel conducts covert cyber operations that are strictly classified and rarely formally acknowledged. So, beyond the infamous Stuxnet virus, what do publicly available sources reveal about state-sponsored hackers within Israel?

To gain a better insight into the covert cyber activity of this geographically small but powerful nation, this blog post will examine the status of the Israeli cyber security sector, the role of the Israeli intelligence community and potential links to high-profile campaigns.

The Clue is in the Tech Sector

A glance at the technology sector around Tel Aviv (Silicon Wadi) immediately suggests that something special is happening in the country. Israel is frequently described as the “Start-Up Nation”. There are thousands of fledgling high-tech enterprises across Israel; Reuters reported that there are at least 450 active cyber security start-ups alone. Many of these companies develop network security applications, firewalls and, in some instances, government surveillance tools.

The thriving high-tech industry has attracted multinational firms including Microsoft, Google, Apple and IBM. A vast innovation centre is being constructed on the outskirts of Beersheba in the Negev desert; the Advanced Technologies Park (ATP) will bring together cutting-edge research conducted by academics at Ben Gurion University with the pioneering technology developed by Israeli start-up companies.

More significantly, the innovation centre will become home to the new headquarters of the Intelligence Directorate and Communications Division of the Israeli Defence Force by 2020.

The influence of Unit 8200

It is widely known that Israeli citizens are required to undertake mandatory military service within the Israeli Defence Force (IDF). Many of the start-up firms in the Israeli cyber security ecosystem consist of individuals who bring technical expertise from their experience within the IDF, particularly the renowned Unit 8200. This shadowy unit has been described as an incubator for the Israeli high-tech sector.

Unit 8200 (formerly Unit 848) is an elite signals intelligence (SIGINT) corps within the Main Intelligence Directorate (AMAN) of the IDF. The original unit was initially formed in 1952 and modelled on the United States National Security Agency (NSA). There are an estimated 5,000 personnel in Unit 8200, many of whom are selected after demonstrating technical potential in extracurricular classes like the Magshimim Cyber program. Unit 8200 serves as the main central intelligence collection service in Israel and specialises in electronic warfare and code decryption. Communications data is gathered from the EMEA region using an array of satellite dishes spread across Israel.

Although the offensive cyber operations of Unit 8200 will evidently remain a closely guarded secret, a former commander of the unit was quoted in Forbes, stating that: “there isn’t a major operation, from the Mossad or any intelligence security agency, that 8200 is not involved in.” There are many publicly documented incidents that appear to support this position:

Stuxnet (2005-2010): According to the testimony of officials involved in the disruptive cyber attack on the Natanz nuclear facility in Iran, the Stuxnet virus was part of a joint operation (Operation Olympic Games) between the United States and Israeli intelligence services. Unit 8200 purportedly collaborated with the NSA whilst operating under the abbreviation ISNU (Israeli SIGINT National Unit).

Operation Full Disclosure (March 2014): An Iranian ship carrying military arms and equipment was interdicted in the Red Sea by IDF Commandoes, on the basis of intelligence obtained through “advanced cyber and communications capabilities”.

Ogero Incident (May 2017): The Lebanese government accused Israel of launching a sophisticated cyber attack on the state telecommunications company Ogero to proliferate disinformation through mass phone calls to Lebanese citizens.

ISIS plot thwarted (February 2018): The IDF reported that Unit 8200 had shared intercepted communications with the Australian authorities to undermine a potential terrorist attack by ISIS against a civilian aircraft.

Further units within the Military Intelligence Directorate and Cyber Defence Directorate (J6/C4i) are responsible for offensive and defensive aspects of cyber security within the IDF. Other branches of the Israeli intelligence community including the Foreign Intelligence Service (Mossad) and Domestic Intelligence Agency (Shin Bet) are also suspected to have internal cyber capabilities.

Reappraising the Unattributed Campaigns

In the last decade, security researchers have documented a series of covert cyber espionage campaigns primarily targeting entities within the MENA region. The threat actors responsible for the campaigns remain unknown although the targeted sectors and complexity of the attacks are highly likely to indicate nation-state involvement.

Many of the campaigns involve malware with plugins, development frameworks or exploits that share similarities with one another. Some of the malware campaigns also share technical links to the Stuxnet virus.

Flame (2007-2012): Multi-functional modular malware evidently produced by a sophisticated team for the purposes of cyber espionage. The target geography included Iran, Israel and the Palestinian territories. The malware allegedly infected Iranian oil facilities.
The Flame malware was reported to share a common plugin with Stuxnet. A (an older version of the Stuxnet worm). An article by the Washington Post suggests that the purpose of the Flame cyber espionage campaign was to provide intelligence for the Stuxnet cyber attack.

Duqu (2009-2011): Complex multi-stage malware primarily targeting industrial systems manufacturers across twelve countries including Iran and Sudan. A certificate authority in Hungary was also reportedly infected.
The Duqu malware shared a common development platform (the ‘Tilded’ framework) with Stuxnet.

Gauss (2011-2012): Modular malware intended for the theft of system information and credentials, primarily targeting Lebanon, with other infections in Israel and Palestine. The malware contained a module for obtaining Lebanese bank credentials and a large encrypted payload that could only be decoded on the intended target.
The malware exploited a vulnerability also targeted by Stuxnet and Flame (CVE-2010-2568).

miniFlame (2012): Precision cyber espionage malware targeting less than one hundred machines in Lebanon, Iran, Kuwait, Qatar and the Palestinian Territories.
The miniFlame backdoor was identified to be one of four malware clients that communicate on the same C2 protocol as Flame. The miniFlame malware operates as a previously unknown module in Flame and Gauss.

The combination of technical analysis, target geography and internal links between the cyber espionage campaigns as well as Stuxnet, indicates the realistic possibility of involvement by the Israeli security services. However, it is unlikely that the specific groups associated with the cited cyber espionage campaigns will ever be identified with anything more than moderate certainty.

The continued geopolitical hostilities between Israel and the Palestinian territories as well as Iran, Lebanon and Syria are highly likely to facilitate further sophisticated cyber espionage operations in the near-future. Look out for flashpoints involving the Syrian Civil War and the Iranian nuclear agreement (JCPoA).